EU: EDPB adopts surveillance and supplementary transfer recommendations following Schrems II
The European Data Protection Board ('EDPB') announced, on 11 November 2020, that it had adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data ('the Supplementary Transfer Measures Recommendations'), as well as complementary recommendations on the European Essential Guarantees for surveillance measures ('the Surveillance Recommendations') during its 41st plenary session. In particular, the EDPB outlined that both the Supplementary Transfer Measures Recommendations and the Surveillance Recommendations were adopted following the Court Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), with the former aiming to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. Moreover, the EDPB noted that the CJEU had allowed exporters to add measures that are supplementary to the Standard Contractual Clauses ('SCCs') to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.
In issuing the Supplementary Transfer Measures Recommendations, the EDPB highlighted that they are seeking a consistent application of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the CJEU's ruling across the EEA. In addition, the EDPB outlined that the Supplementary Transfer Measures Recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and help them identify those that could be effective, as well as containing a non-exhaustive list of examples of supplementary measures that would assist data exports and their required conditions. However, the EDPB further stated that, in the end, data exporters are responsible for making the concrete assessment in the context of the transfer, the third country law and the transfer tool they are relying on, and that data exporters must proceed with due diligence and document their process thoroughly, as they will be held accountable to the decisions they take on that basis, in line with the GDPR principle of accountability. Moreover, the EDPB added that data exporters should know that it may not be possible to implement sufficient supplementary measures in every case. Finally, the EDPB noted that the Supplementary Transfer Measures Recommendations will be submitted for public consultation and will be applicable immediately following their publication.
In the relation to the Surveillance Recommendations, the EDPB outlined that they provide data exporters with elements to determine if the legal framework governing public authorities' access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the protection of personal data, and therefore as not impinging on the transfer tool the data exporter and importer rely on as per Article 46 of the GDPR.
You can read the press release here.
UPDATE (11 November 2020)
EDPB publishes Supplementary Transfer Measures Recommendations and Surveillance Recommendations
The EDPB published, on 11 November 2020, the Supplementary Transfer Measures Recommendations and the Surveillance Recommendations. In particular, the Supplementary Transfer Measures Recommendations address, among other things, the principle of accountability within data transfers, to be applied in accordance with the following steps:
- know the transfers;
- identify the transfer mechanism to rely on;
- assess whether the adopted transfer mechanism is effective;
- adopt supplementary measures;
- after the identification of effective supplementary measures, address the procedural steps related to the specific transfer mechanism; and
- monitor and re-evaluate the assessment at appropriate intervals.
In addition, Annex 2 of the Supplementary Transfer Measures Recommendations contains an non-exhaustive list of supplementary measures examples, including:
- technical measures;
- additional contractual measures; and
- organisational measures.
Furthermore, the Surveillance Recommendations identify the following European essential guarantees:
- clear, precise, and accessible rules for processing;
- demonstration of necessity and proportionality in relation to the legitimate objectives pursued;
- existence of an independent oversight mechanism; and
- existence of effective remedies for the individual.
The Supplementary Transfer Measures Recommendations will be available for public comments until 30 November 2020.